Splunk Add-on for Unix and Linux: Is there a way to auto deploy this add-on to all my forwarders?

btcdirectinfra
Explorer

On the Splunk Light server (indexer + UI, configured to be Distributor) I did the following:
I installed the Splunk Add-on for Unix and Linux (Splunk_TA_nix) according to instructions.
I set up the class so all my servers are included for this app.
Configured which scripts it should run (external data input scripts)
I restarted several times.

Each server I want to monitor has a Universal Forwarder installed.
Now, only 2 out of the total 5 forwarders return "Splunk_TA_nix app" metrics.
They are all identical in OS, firewalling, and forwarder installation procedure.
Is there a way to make this work without changing each forwarder individually? Because if it were like 500 instead of 5 forwarders, I would have a problem.

Thanks in advance.

0 Karma

circleup
Explorer

Can you clarify how you "set up the class so all [your] servers are included for this app"? When I try to edit apps for my server classes, I don't see this add-on available. And when I go to "Set Up" for the add-on, it just points me to the documentation.

I'd prefer to not have to manually install it on every forwarder but rather have them deployed centrally. Thanks!

0 Karma

btcdirectinfra
Explorer

So I logged in to each server and added the forwarder address again (just to be sure) and restarted Splunk.
Nothing changed.
But the local logs pointed out that the deployment command of the Splunk_TA_nix app was sent from the deployment server.
So then I turned on all the scripts (Splunk indexer > GUI > data inputs > external scripts > enabled a lot of them).
So I see that the cpu script does not return data from all servers, but the uptime script does.
I am still looking into the environment differences that can explain this different behaviour.

0 Karma

btcdirectinfra
Explorer

So then I installed the sysstat package on those (forward) servers with: yum install sysstat
Fixed it!
(To understand why one server already had this package installed, well... maybe I once needed it and forgot about it).
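
A triage sketch for the situation in this thread, added here as an example and not taken from any post or from the add-on itself: it lists which scripted inputs are logging ExecProcessor errors in a forwarder's splunkd.log and which sysstat tools are missing from PATH. The function names, the sample log lines and the /opt/splunkforwarder path are assumptions, and that the cpu script relies on sar or mpstat is inferred from the fix above.

```shell
#!/bin/sh
# Added example: triage a forwarder whose Splunk_TA_nix scripted inputs
# return no data. Function names and sample data are hypothetical.

# Print each command name given as an argument that is not on PATH.
missing_cmds() {
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || printf '%s\n' "$cmd"
    done
}

# Read splunkd.log lines on stdin and print "<count> <script>" for every
# scripted input that logged an ExecProcessor ERROR or WARN message.
failing_inputs() {
    awk '
        / (ERROR|WARN) +ExecProcessor / && match($0, /message from "[^"]*"/) {
            # Drop the 14-character prefix (message from ") and closing quote.
            path = substr($0, RSTART + 14, RLENGTH - 15)
            n = split(path, parts, "/")
            count[parts[n]]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -k2
}

# Constructed sample lines in splunkd.log layout (not from a real host).
SAMPLE_LOG='05-01-2024 10:00:01.123 +0000 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh" constructed sample error text
05-01-2024 10:00:31.456 +0000 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh" constructed sample error text
05-01-2024 10:00:02.000 +0000 INFO  ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/uptime.sh'

echo "Scripted inputs logging errors (sample data):"
printf '%s\n' "$SAMPLE_LOG" | failing_inputs

echo "sysstat tools missing on this host:"
missing_cmds sar mpstat iostat
```

On a real forwarder, feed `failing_inputs` the forwarder's own splunkd.log instead of the sample, and install sysstat where `missing_cmds` reports a gap.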
